Vulnerability to cache poisoning -- the rest of the solution

Jeff Lightner jlightner at water.com
Mon Jul 14 17:47:08 UTC 2008


My intent is to use the patched version from RedHat.  Their advisory on
the issue and update is at:
http://rhn.redhat.com/errata/RHSA-2008-0533.html

Specifically I'd be using what they call 9.3.4-6.0.2.P1.  I think this
is basically 9.3.4-P1 but is customized by RedHat to include fixes from
later BIND versions.  (See discussion with Adam Tkac of RedHat on list a
couple of weeks back about why he doesn't want to roll out later BIND
versions in updates.)

However, now I'm wondering if that will be sufficient.   Their notes in
that link and the two bug links referred to within it seem to suggest
the change was only to take the offending query port restriction out of
their sample named.conf (and of course I'd have to take it out of my
live one).   What you wrote makes me wonder if there wasn't a code
update needed to make it behave more like one of the later BIND versions
to do real port randomization.   

It isn't clear to me whether or not they made any customization of the
code to address this.

I guess I'll try the update they have, then run the dig test to see if it
really is giving me random ports at that point.

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Alan Clegg
Sent: Monday, July 14, 2008 1:21 PM
To: bind-users at isc.org
Subject: Re: Vulnerability to cache poisoning -- the rest of the
solution

Jeff Lightner wrote:
> Someone stated positively that I couldn't have had queries or transfers
> working with port firewall restricted to port 53 so I was looking for
> more information about that statement as obviously my BIND is working.
Ok, prior to 9.5.0, BIND chose a high, random UDP port on startup and
used that for the life of the process for outbound queries.

9.5.0 improved that by choosing a small pool and changing port every 15
minutes.

-P1 introduced a per-query randomization across all available high
ports.

The betas (9.5.1b2) and (9.4.3b1) allow fine-grained control for the UDP
ports used.

All of the above can be over-ridden using the (evil) "udp-source port
XX" statement in your configuration.

All BIND versions use high, random ports for TCP connections.

> Separately I was then also asking for details about what should be
> opened for recursive queries.  Is it udp only?  Tcp & udp?   Finally I
> was asking for specific range information.   That is if I tell it random
> does that mean it automatically goes to ports above 1024.  Further I
> wanted to verify there wasn't anything in BIND that was restricting it
> to a range as some applications do.   That is to say is it complete
> random or random within a range?

See above.  Answer depends on "what version are you running?"

AlanC
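
An added example, not part of the original messages and not ISC or Red Hat code: one way to check, from a packet capture of a resolver's outbound queries, which of the source-port behaviours described above it is showing. The `tcpdump -n` line format, the 192.0.2.10 resolver address, the sample captures and the classification thresholds are all assumptions made for this illustration.

```python
import re

# Matches `tcpdump -n udp dst port 53` output, e.g.
# "14:21:03.1 IP 192.0.2.10.53124 > 198.51.100.53.53: 4411+ A? example.com. (29)"
QUERY = re.compile(r"IP (\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > "
                   r"\d{1,3}(?:\.\d{1,3}){3}\.53: ")

def source_ports(lines, resolver_ip):
    """Source ports of outbound DNS queries sent by resolver_ip."""
    ports = []
    for line in lines:
        m = QUERY.search(line)
        if m and m.group(1) == resolver_ip:
            ports.append(int(m.group(2)))
    return ports

def classify(ports, min_samples=20):
    """Map observed ports onto the behaviours described in the thread.
    Thresholds are assumptions for this example, not BIND constants."""
    if len(ports) < min_samples:
        return "insufficient-data"
    distinct = len(set(ports))
    if distinct == 1:
        # One port for the life of the process (pre-9.5.0) or a pinned port.
        return "fixed-port"
    if distinct * 2 < len(ports):
        # Heavy reuse: consistent with a small pool (9.5.0 behaviour).
        return "small-pool"
    # Nearly every query uses a new port (-P1 behaviour).
    return "per-query-random"

def sample(ports, resolver_ip="192.0.2.10"):
    """Build constructed tcpdump-style lines for the given source ports."""
    return [f"14:21:{i % 60:02d}.0 IP {resolver_ip}.{p} > 198.51.100.53.53: "
            f"{1000 + i}+ A? example.com. (29)" for i, p in enumerate(ports)]

if __name__ == "__main__":
    captures = {  # constructed data, not real captures
        "pinned": [53] * 30,
        "pool": [32768 + (i % 8) for i in range(40)],
        "random": [1024 + (i * 7919) % 64000 for i in range(40)],
    }
    for name, ports in captures.items():
        seen = source_ports(sample(ports), "192.0.2.10")
        print(name, classify(seen), min(seen), max(seen))
```

A "fixed-port" or "small-pool" result after applying a vendor update suggests a port is still pinned in named.conf or that the build does not randomize per query.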